问题
In my ASP.NET web application, I use smart card to login. After logged out, I want to make the IIS prompt pin if login again. So the following command is run -
document.execCommand('ClearAuthenticationCache');
It does prompt the selection of certificate. However after pick up the correct certificate, "Validation of viewstate MAC failed" error is thrown.
Machine key has been set in web.config. I test it in a single server.
Can this be fixed?
Is there another way to force relogin without executing the above command?
The error log is like -
<error application="/LM/W3SVC/2/ROOT" host="MMM809-PB8GMTC" type="System.Web.UI.ViewStateException" message="Invalid viewstate. 
	Client IP: 127.0.0.1
	Port: 64307
	Referer: https://localhost:48044/Account/Login.aspx?ReturnUrl=%2f
	Path: /Account/Login.aspx
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
	ViewState: /12345678905NTIyMjMwNQ9kFgJmD2QWBAIBD2QWAgIKD2QWAgIBD2QWAmYPDxYEHgRUZXh0BSFSZWxlYXNlIDEwLjguMTogTG9jYWwgRGV2ZWxvcG1lbnQeB1Zpc2libGVnZGQCAw9kFgQCBQ88KwANAQAPFgIeC18hRGF0YUJvdW5kZ2RkAggPZBYGZg8PFgIfAAVPRW50ZXIgeW91ciB1c2VybmFtZSwgcGFzc3dvcmQsIG9yIGluc2VydCB5b3VyIFBJViBDYXJkIGFuZCBjaGVjayB0aGUgYm94IGJlbG93LmRkAgMPDxYCHwFnZGQCBA8PFgIfAWdkFgQCAQ8PFgIfAAVyUGxlYXNlIGluc2VydCB5b3VyIFBJViBDYXJkIGludG8geW91ciB3b3Jrc3RhdGlvbidzIGNhcmQgcmVhZGVyLCBhbmQgY2xpY2sgdGhlICdMb2dpbiBXaXRoIFBJViBDYXJkJyBidXR0b24gYmVsb3cuZGQCAw8PFgQfAGUfAWhkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAwUeY3RsMDAkTWFpbkNvbnRlbnQkQ2hlY2tCb3hQT0FNBRNjdGwwMCRJQ2FuY2VsJGN0bDAxBRNjdGwwMCRJQ2FuY2VsJGN0bDAzLS/FM9A6VVP18RwsD2IC7Rg/xts=" detail="System.Web.HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

See http://go.microsoft.com/fwlink/?LinkID=314055 for more information. ---> System.Web.UI.ViewStateException: Invalid viewstate. 
	Client IP: 127.0.0.1
	Port: 64307
	Referer: https://localhost:48044/Account/Login.aspx?ReturnUrl=%2f
	Path: /Account/Login.aspx
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
	ViewState: /12345678905NTIyMjMwNQ9kFgJmD2QWBAIBD2QWAgIKD2QWAgIBD2QWAmYPDxYEHgRUZXh0BSFSZWxlYXNlIDEwLjguMTogTG9jYWwgRGV2ZWxvcG1lbnQeB1Zpc2libGVnZGQCAw9kFgQCBQ88KwANAQAPFgIeC18hRGF0YUJvdW5kZ2RkAggPZBYGZg8PFgIfAAVPRW50ZXIgeW91ciB1c2VybmFtZSwgcGFzc3dvcmQsIG9yIGluc2VydCB5b3VyIFBJViBDYXJkIGFuZCBjaGVjayB0aGUgYm94IGJlbG93LmRkAgMPDxYCHwFnZGQCBA8PFgIfAWdkFgQCAQ8PFgIfAAVyUGxlYXNlIGluc2VydCB5b3VyIFBJViBDYXJkIGludG8geW91ciB3b3Jrc3RhdGlvbidzIGNhcmQgcmVhZGVyLCBhbmQgY2xpY2sgdGhlICdMb2dpbiBXaXRoIFBJViBDYXJkJyBidXR0b24gYmVsb3cuZGQCAw8PFgQfAGUfAWhkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAwUeY3RsMDAkTWFpbkNvbnRlbnQkQ2hlY2tCb3hQT0FNBRNjdGwwMCRJQ2FuY2VsJGN0bDAxBRNjdGwwMCRJQ2FuY2VsJGN0bDAzLS/FM9A6VVP18RwsD2IC7Rg/xts=
 at System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError)
 at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString, Purpose purpose)
 at System.Web.UI.Util.DeserializeWithAssert(IStateFormatter2 formatter, String serializedState, Purpose purpose)
 at System.Web.UI.HiddenFieldPageStatePersister.Load()
 at System.Web.UI.Page.LoadPageStateFromPersistenceMedium()
 at System.Web.UI.Page.LoadAllState()
 at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 at System.Web.UI.Page.ProcessRequest()
 at System.Web.UI.Page.ProcessRequest(HttpContext context)
 at ASP.account_login_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\277b2a97\3a0c0b22\App_Web_tivyflc5.0.cs:line 0
 at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
 at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)" time="2017-08-14T21:15:21.9999720Z" statusCode="500" webHostHtmlMessage="<!DOCTYPE html>
<html>
 <head>
 <title>Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that &lt;machineKey&gt; configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.<br><br>See http://go.microsoft.com/fwlink/?LinkID=314055 for more information.</title>
 <meta name="viewport" content="width=device-width" />
 <style>
 body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} 
 p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
 b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
 H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
 H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
 pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
 .marker {font-weight: bold; color: black;text-decoration: none;}
 .version {color: gray;}
 .error {margin-bottom: 10px;}
 .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
 @media screen and (max-width: 639px) {
 pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }
 }
 @media screen and (max-width: 479px) {
 pre { width: 280px; }
 }
 </style>
 </head>

 <body bgcolor="white">

 <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

 <h2> <i>Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that &lt;machineKey&gt; configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.<br><br>See http://go.microsoft.com/fwlink/?LinkID=314055 for more information.</i> </h2></span>

 <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

 <b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

 <br><br>

 <b> Exception Details: </b>System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that &lt;machineKey&gt; configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.<br><br>See http://go.microsoft.com/fwlink/?LinkID=314055 for more information.<br><br>

 <b>Source Error:</b> <br><br>

 <table width=100% bgcolor="#ffffcc">
 <tr>
 <td>
 <code><pre>

[No relevant source lines]</pre></code>

 </td>
 </tr>
 </table>

 <br>

 <b> Source File: </b> c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\277b2a97\3a0c0b22\App_Web_tivyflc5.0.cs<b> &nbsp;&nbsp; Line: </b> 0
 <br><br>

 <b>Stack Trace:</b> <br><br>

 <table width=100% bgcolor="#ffffcc">
 <tr>
 <td>
 <code><pre>

[ViewStateException: Invalid viewstate. 
	Client IP: 127.0.0.1
	Port: 64307
	Referer: https://localhost:48044/Account/Login.aspx?ReturnUrl=%2f
	Path: /Account/Login.aspx
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
	ViewState: /12345678905NTIyMjMwNQ9kFgJmD2QWBAIBD2QWAgIKD2QWAgIBD2QWAmYPDxYEHgRUZXh0BSFSZWxlYXNlIDEwLjguMTogTG9jYWwgRGV2ZWxvcG1lbnQeB1Zpc2libGVnZGQCAw9kFgQCBQ88KwANAQAPFgIeC18hRGF0YUJvdW5kZ2RkAggPZBYGZg8PFgIfAAVPRW50ZXIgeW91ciB1c2VybmFtZSwgcGFzc3dvcmQsIG9yIGluc2VydCB5b3VyIFBJViBDYXJkIGFuZCBjaGVjayB0aGUgYm94IGJlbG93LmRkAgMPDxYCHwFnZGQCBA8PFgIfAWdkFgQCAQ8PFgIfAAVyUGxlYXNlIGluc2VydCB5b3VyIFBJViBDYXJkIGludG8geW91ciB3b3Jrc3RhdGlvbidzIGNhcmQgcmVhZGVyLCBhbmQgY2xpY2sgdGhlICdMb2dpbiBXaXRoIFBJViBDYXJkJyBidXR0b24gYmVsb3cuZGQCAw8PFgQfAGUfAWhkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAwUeY3RsMDAkTWFpbkNvbnRlbnQkQ2hlY2tCb3hQT0FNBRNjdGwwMCRJQ2FuY2VsJGN0bDAxBRNjdGwwMCRJQ2FuY2VsJGN0bDAzLS/FM9A6VVP18RwsD2IC7Rg/xts=]

[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that &lt;machineKey&gt; configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

See http://go.microsoft.com/fwlink/?LinkID=314055 for more information.]
 System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +153
 System.Web.UI.ObjectStateFormatter.Deserialize(String inputString, Purpose purpose) +912
 System.Web.UI.Util.DeserializeWithAssert(IStateFormatter2 formatter, String serializedState, Purpose purpose) +61
 System.Web.UI.HiddenFieldPageStatePersister.Load() +309
 System.Web.UI.Page.LoadPageStateFromPersistenceMedium() +367
 System.Web.UI.Page.LoadAllState() +46
 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +9527
 System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +355
 System.Web.UI.Page.ProcessRequest() +75
 System.Web.UI.Page.ProcessRequest(HttpContext context) +70
 ASP.account_login_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\277b2a97\3a0c0b22\App_Web_tivyflc5.0.cs:0
 System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +798
 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously) +91
</pre></code>

 </td>
 </tr>
 </table>

 <br>

 </body>
</html>
"> <serverVariables> <item name="ALL_HTTP"> <value string="HTTP_CACHE_CONTROL:no-cache
HTTP_CONNECTION:Keep-Alive
HTTP_CONTENT_LENGTH:1369
HTTP_CONTENT_TYPE:application/x-www-form-urlencoded
HTTP_ACCEPT:text/html, application/xhtml+xml, */*
HTTP_ACCEPT_ENCODING:gzip, deflate
HTTP_ACCEPT_LANGUAGE:en-US
HTTP_HOST:localhost:48044
HTTP_REFERER:https://localhost:48044/Account/Login.aspx?ReturnUrl=%2f
HTTP_USER_AGENT:Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
" /> </item> <item name="ALL_RAW"> <value string="Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 1369
Content-Type: application/x-www-form-urlencoded
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Host: localhost:48044
Referer: https://localhost:48044/Account/Login.aspx?ReturnUrl=%2f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
" /> </item> <item name="APPL_MD_PATH"> <value string="/LM/W3SVC/2/ROOT" /> </item> <item name="APPL_PHYSICAL_PATH"> <value string="C:\JJJ\FFF2v2\DEV_MVC\Prototype\FFF.Admin\FFF2\" /> </item> <item name="AUTH_TYPE"> <value string="" /> </item> <item name="AUTH_USER"> <value string="" /> </item> <item name="AUTH_PASSWORD"> <value string="*****" /> </item> <item name="LOGON_USER"> <value string="" /> </item> <item name="REMOTE_USER"> <value string="" /> </item> <item name="CERT_COOKIE"> <value string="a4b74eb1dcfd75b321ea17b5486687b91900001103c95854d42f7d0345d17c83" /> </item> <item name="CERT_FLAGS"> <value string="1" /> </item> <item name="CERT_ISSUER"> <value string="C=US, O=Entrust, OU=Certification Authorities, OU=Entrust Managed Services SSP CA" /> </item> <item name="CERT_KEYSIZE"> <value string="256" /> </item> <item name="CERT_SECRETKEYSIZE"> <value string="1024" /> </item> <item name="CERT_SERIALNUMBER"> <value string="49-4a-2a-2c" /> </item> <item name="CERT_SERVER_ISSUER"> <value string="CN=localhost" /> </item> <item name="CERT_SERVER_SUBJECT"> <value string="CN=localhost" /> </item> <item name="CERT_SUBJECT"> <value string="C=US, O=U.S. Company, OU=Dept of EE, OU=CIV, CN=GGGG UUU (Affiliate) + OID.0.9.2342.19200300.100.1.1=15001003062231" /> </item> <item name="CONTENT_LENGTH"> <value string="1369" /> </item> <item name="CONTENT_TYPE"> <value string="application/x-www-form-urlencoded" /> </item> <item name="GATEWAY_INTERFACE"> <value string="CGI/1.1" /> </item> <item name="HTTPS"> <value string="on" /> </item> <item name="HTTPS_KEYSIZE"> <value string="256" /> </item> <item name="HTTPS_SECRETKEYSIZE"> <value string="1024" /> </item> <item name="HTTPS_SERVER_ISSUER"> <value string="CN=localhost" /> </item> <item name="HTTPS_SERVER_SUBJECT"> <value string="CN=localhost" /> </item> <item name="INSTANCE_ID"> <value string="2" /> </item> <item name="INSTANCE_META_PATH"> <value string="/LM/W3SVC/2" /> </item> <item name="LOCAL_ADDR"> <value string="127.0.0.1" /> </item> <item name="PATH_INFO"> <value string="/Account/Login.aspx" /> </item> <item name="PATH_TRANSLATED"> <value string="C:\JJJ\FFF2v2\DEV_MVC\Prototype\FFF.Admin\FFF2\Account\Login.aspx" /> </item> <item name="QUERY_STRING"> <value string="ReturnUrl=%2f" /> </item> <item name="REMOTE_ADDR"> <value string="127.0.0.1" /> </item> <item name="REMOTE_HOST"> <value string="127.0.0.1" /> </item> <item name="REMOTE_PORT"> <value string="64307" /> </item> <item name="REQUEST_METHOD"> <value string="POST" /> </item> <item name="SCRIPT_NAME"> <value string="/Account/Login.aspx" /> </item> <item name="SERVER_NAME"> <value string="localhost" /> </item> <item name="SERVER_PORT"> <value string="48044" /> </item> <item name="SERVER_PORT_SECURE"> <value string="1" /> </item> <item name="SERVER_PROTOCOL"> <value string="HTTP/1.1" /> </item> <item name="SERVER_SOFTWARE"> <value string="Microsoft-IIS/7.5" /> </item> <item name="URL"> <value string="/Account/Login.aspx" /> </item> <item name="HTTP_CACHE_CONTROL"> <value string="no-cache" /> </item> <item name="HTTP_CONNECTION"> <value string="Keep-Alive" /> </item> <item name="HTTP_CONTENT_LENGTH"> <value string="1369" /> </item> <item name="HTTP_CONTENT_TYPE"> <value string="application/x-www-form-urlencoded" /> </item> <item name="HTTP_ACCEPT"> <value string="text/html, application/xhtml+xml, */*" /> </item> <item name="HTTP_ACCEPT_ENCODING"> <value string="gzip, deflate" /> </item> <item name="HTTP_ACCEPT_LANGUAGE"> <value string="en-US" /> </item> <item name="HTTP_HOST"> <value string="localhost:48044" /> </item> <item name="HTTP_REFERER"> <value string="https://localhost:48044/Account/Login.aspx?ReturnUrl=%2f" /> </item> <item name="HTTP_USER_AGENT"> <value string="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" /> </item> <item name="IS_LOGIN_PAGE"> <value string="1" /> </item> </serverVariables> <queryString> <item name="ReturnUrl"> <value string="/" /> </item> </queryString> <form> <item name="__EVENTTARGET"> <value string="" /> </item> <item name="__EVENTARGUMENT"> <value string="" /> </item> <item name="__VIEWSTATE"> <value string="/12345678905NTIyMjMwNQ9kFgJmD2QWBAIBD2QWAgIKD2QWAgIBD2QWAmYPDxYEHgRUZXh0BSFSZWxlYXNlIDEwLjguMTogTG9jYWwgRGV2ZWxvcG1lbnQeB1Zpc2libGVnZGQCAw9kFgQCBQ88KwANAQAPFgIeC18hRGF0YUJvdW5kZ2RkAggPZBYGZg8PFgIfAAVPRW50ZXIgeW91ciB1c2VybmFtZSwgcGFzc3dvcmQsIG9yIGluc2VydCB5b3VyIFBJViBDYXJkIGFuZCBjaGVjayB0aGUgYm94IGJlbG93LmRkAgMPDxYCHwFnZGQCBA8PFgIfAWdkFgQCAQ8PFgIfAAVyUGxlYXNlIGluc2VydCB5b3VyIFBJViBDYXJkIGludG8geW91ciB3b3Jrc3RhdGlvbidzIGNhcmQgcmVhZGVyLCBhbmQgY2xpY2sgdGhlICdMb2dpbiBXaXRoIFBJViBDYXJkJyBidXR0b24gYmVsb3cuZGQCAw8PFgQfAGUfAWhkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAwUeY3RsMDAkTWFpbkNvbnRlbnQkQ2hlY2tCb3hQT0FNBRNjdGwwMCRJQ2FuY2VsJGN0bDAxBRNjdGwwMCRJQ2FuY2VsJGN0bDAzLS/FM9A6VVP18RwsD2IC7Rg/xts=" /> </item> <item name="__EVENTVALIDATION"> <value string="/wEd22ySLZWi7YKvA222Ghxs5i/gdgSlZayxK222UBT+LqAPEQXWHOQW8ippJhMjXGvdzYpORp2222qSEthdF2fKQKT3+gipLj222/Qq2a+jO7Sdw69cI2b222177ItZkMEJTRS1W7nAjfkkQn8EsSZ7gk+2222hijOlATDRMbKYdiBI3/E22xjXszlb3Zt02VABJbFgx61+Zyi3222hiddMDq06RoW1pAPcBZaBtZ5cjbMK6KAeH/L222TzxQxNLc5z7Kkxgno0Zw1m8I6glrnouRiEmp0Grg==" /> </item> <item name="ctl00$RegistrationID"> <value string="" /> </item> <item name="ctl00$MainContent$hfreadconsent"> <value string="yes" /> </item> <item name="ctl00$MainContent$UserLogin$UserName"> <value string="" /> </item> <item name="ctl00$MainContent$UserLogin$Password"> <value string="" /> </item> <item name="ctl00$MainContent$btnLoginWithSmartCard"> <value string="Login With Smart Card" /> </item> <item name="ctl00$MainContent$CheckBoxPOAM"> <value string="on" /> </item> <item name="__VIEWSTATEGENERATOR"> <value string="CD85D8D2" /> </item> </form> <cookies> <item name="__AntiXsrfToken"> <value string="58a7763a00bb42c286d47ac3ba217e64" /> </item> </cookies> </error>
Thanks
Edit 1: after executed document.execCommand('ClearAuthenticationCache'); I follow with document.location.href="/";. Now the error goes away after reloaded the root Url. However the reloaded page still caches the PIN. It allowed me to directly log in after selected the popped out certificate without further asked for a PIN number. Do not know why "ClearAuthenticationCache" can not clear cached pin.
回答1:
This may answer my question - The client just sends a certificate to the server. The server could force the client to resend the certificate. But server has no idea where the browser got the certificate from - that's some OS (or 3rd party provider) code that talks to the smart card. It's up to that provider to determine when the user should be re-prompted to access the smart card.
来源:https://stackoverflow.com/questions/45683824/smart-card-relogin-failed-with-message-validation-of-viewstate-mac-failed-afte